K.Mandla's blog of Linux experiences

I, for one, am glad

That’s right, you heard me: I’m glad. I’m glad someone put together a subversive script, packaged it as a deb file, and released it on gnome-look.org. Cheers, I say.

Sure, it’s unfortunate that some Ubuntu users installed it thinking it was a screensaver, and then discovered it was grabbing something bad from some faraway site, and implanting it in their system. And yes, it’s completely unethical and therefore a Very Bad Thing to do that, but to be honest, we need to get past the “I use Linux, I am therefore bulletproof” mentality.

I’m not calling anyone dumb. I merely want to make a point. I’m glad because every list of reasons to use Linux includes that “no viruses, no malware” clause. But truth be told, most Windows systems that are properly maintained and carefully managed can go quite some time making the same claim.

And part of “carefully managed” is the idea that you don’t arbitrarily install software from untrusted sources or repositories, no matter what OS you run. I can remember a few years ago when someone set up an Ubuntu repository that included an update to the wallpaper for the standard Gnome desktop — and the image that was installed was a giant warning not to install software from unreliable repositories. No harm done, and the lesson was learned.

My point is that somebody still has to press the buttons before the machine becomes a threat to itself. Let’s face it, the real danger to a computer system isn’t the hardware and usually isn’t the software. It’s the human on the other side of the screen who poses a real threat. Left alone with no interference and a computer — any computer, regardless of operating system — will likely continue to idle for decades, or until its components finally stop working or someone accidentally unplugs the thing.

But insert a human into the equation, and suddenly all bets are off. Security be damned, the fact of the matter is that you, and I, are the weakest link.

So let’s move past the idea that a Linux system is able to walk on water, or that you and I are both somehow impervious to human fallacy because we chose a superior operating system. As long as we sit behind at the keyboard, the risk remains that one of us, you or I, will delude ourselves into thinking the machine is unsinkable, and suddenly prove ourselves wrong.

And the day someone finally puts together a virus with some real teeth in it, and dumps it on the Linux public? Well, that will be a happy day too. But for different reasons.😈

This is what I’ve been telling everyone for such a long time; antivirus software is a placebo. I’ve worked for a year and a half with Vista and I never had a single virus, or antivirus software for that matter.
The same thing goes for Linux. The virus problem doesn’t lie with the software, but with users. People don’t want to (because they are lazy) but it’s the user whose mentality has to change. On the internet, you don’t trust everyone and you don’t click everything.

Not to sound rude, but how do you know you’ve never had a virus even with so-called antivirus software? Antivirus software detects only known malware… and then not all known malware… and then also false positives.

so many times have i been tempted to install some new cool thing circulating around the web. but every single time i see that sudo, i back off.
But how this was carried out is interesting. going through a package manager to gain root access while appearing as a harmless package on a somewhat official-looking site. I think I would’ve fallen for that one.

Is it unreasonable to tell your elderly grandmother that she’s less at risk of getting malware when on Linux or Mac? Also, does an inexperienced end user need to get a trojan horse for them to be taught about security?

Also, I love the last little snide comment you leave. Because it underscores the idea that a lot of people seem to have: that malware has no economic effect, that what happens on computers isn’t real and that everyone uses a computer is a fellow “hacker.”

This post wasn’t about the ill effect of viruses on the economy or whatever. This post was about the mentality that Linux is somehow immune to every virus and that you can do whatever you want. Like I said earlier, it all depends on the user working on the pc.

I don’t know any sysadmins that believe that computers are immune to trojan horses. If they do, then yes they need to be disabused of that belief.

But there’s no point in penalizing general users with a trojan horse to teach them some sort of lesson. Maybe I have a different definition of general user than you do, but when I think of general user, I think of the person that thinks the browser is the internet.

“And the day someone finally puts together a virus with some real teeth in it, and dumps it on the Linux public? Well, that will be a happy day too. But for different reasons.”

That’s what I’m taking issue with. What’s the point? And I’m sorry for freaking out, but I’m getting fed up with people that are all right with malware. It’s caused irreparable damage for some of my best friends: destroyed novels, homework and photos. Maybe along with this misguided parable about a trojan being okay because it teaches people to be secure, we should teach people about the importance of backing up.

“I can remember a few years ago when someone set up an Ubuntu repository that included an update to the wallpaper for the standard Gnome desktop — and the image that was installed was a giant warning not to install software from unreliable repositories. No harm done, and the lesson was learned.”

This is not comparable to using a fake package to set up a botnet. I recall the incident in question, and the point of it was that that particular package was not authenticated, and that the user should not have installed it from the repository (a message stating the package was not authenticated was generated by apt-get, aptitude and/or synaptic warning the user). This was done as an object lesson in paying attention to the existing safeguards.

This is not the same thing as lying to the gnome-look website and the entire user base of that site about the contents and purpose of a package, abusing the trust of the users, tarnishing the image of the site, and generally being a person completely devoid of common decency. Frankly, if gnome-look derives any revenue from use or page views, and if they see a drop in that revenue due to the bad publicity this will generate (helped along by Microsoft fluffers, no doubt, should they catch wind of it), they should sue the uploader to recover damages.

Please understand: altering a wallpaper image to make a point about existing safeguards on a signed package that *says it contains a wallpaper* is not the same thing as uploading a package containing software designed to set the stage for a Denial Of Service attack (1), and *lying to people so they’ll think it’s a screensaver*!

1. From the script creator’s website: “If your reading this from coming from that ubuntu forums place, Well done you saw right thourgh my “Screensaver” cough cough wink wink, I can tell you this. Basically after getting some scripts to run upon start up, It then sets to work downloading another file, This can be changed on my server so in essence i could do whatever i like on your computer, But i only really want to perfrom a DOS (denial of service) attack, For no reason I’m attacking mmowned.com, Just using it as a test. Hats Off!”